SNOWGLOBE: From Discovery to Attribution




Safeguarding Canada's security through information superiority
Attribution

SNOWGLOBE 

Questions 




Victimology: Iran 

• Iranian MFA 

• Iran University of Science and Technology 

• Atomic Energy Organization of Iran 

• Data Communications of Iran 

• Iranian Research Organization for Science and Technology, Imam Hussein University

• Malek-E-Ashtar University 
Victimology: Global




• Five Eyes 

- Possible targeting of a French-language Canadian media organization

• Europe 

- Greece 

• Possibly associated with European Financial Association 

- France 

- Norway 

- Spain 

• Africa 

- Ivory Coast 

- Algeria 
Discovery

Development 

Victimology 

Attribution 

SNOWGLOBE 

Questions 



Attribution: Binary Artifacts



ntrass.exe

- DLL Loader uploaded to a victim as part of tasking seen in collection

- Internal Name: Babar

- Developer username: titi

Babar is a popular French children's television show

Titi is a French diminutive for Thierry, or a colloquial term for a small person







Overall Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA






Communications Security Establishment Canada



Attribution: Intelligence Priorities 



• Iranian science and technology 

- Notably, the Atomic Energy Organization of Iran 

- Nuclear research 

• European supranational organizations 

- European Financial Association 

• Former French colonies 

- Algeria, Ivory Coast 

• French-speaking organizations/areas 

- French-language media organization 

• Doesn't fit cybercrime profile 
The Hunt for Babar

7 Pages - Contributed by Martin Untersinger, Le Monde - Mar 21, 2014



CSEC (p. 1)

CSEC is the Canadian agency responsible for telecommunications [equivalent of the



Victimology (p. 2)



VICTIMOLOGY 



This part of the document is devoted to the victims of the computer program that CSEC examined.



Sensitive information

We have chosen to publish only part of the document we worked on, as it contains information relating to an intelligence operation that is potentially still ongoing.



Iranian Ministry of Foreign Affairs (p. 3)

Iranian MFA

Canadian media (p. 4)

- Possible targeting of a French-language Canadian media organization

French-language Canadian media may be among the victims of the malicious program.



Attribution (p. 5) 



ATTRIBUTION 



The pages that follow aim to determine who is behind "Snowglobe"

DLL (p. 6)

DLL Loader uploaded to a victim as

This is a program, a component of "Snowglobe", designed to be inserted into the target's computer



Priorities (p. 7)



Attribution: Intelligence Priorities 




On this page, CSEC summarizes the targets of "Snowglobe" to bring out the main priorities.



